The aviation industry largely depends on the reliable functioning of critical information technology infrastructure. Like many other industries, the aviation industry is challenged with providing adequate security for such IT infrastructure and mitigating the effects of any cyber events. Examples of cyber events include malicious or suspicious events that compromise, or attempt to compromise, the operation of an aircraft's network, including its data connections and computing systems. These cyber event mitigation efforts require detection and response both during and after the cyber event.
Prior art security systems, such as SIEM systems, are dedicated to ground-based systems that rely on the availability of ample bandwidth needed for the collection, detection, and sharing of event data. By virtue of being ground-based, such prior art SIEM systems have the benefit of being continuously monitored and updated with the latest malware and virus signatures. Also, ground personnel with cybersecurity expertise are readily available to intervene and troubleshoot the hardware as needed.
However, with the exception of viruses and malware using previously known digital signatures, none of the above-described cyber-attack mitigation functions are readily available for implementation using the aircraft's network and computing resources while an aircraft is in flight. One of the reasons is a lack of sufficient bandwidth while the aircraft is in flight. Another reason is the lack of current software updates and patches on the aircraft's computing systems, because the process for obtaining regulatory approval for such software updates typically takes about two years. Also, personnel with cybersecurity expertise who understand how to mitigate the attack's effects are typically not on-board while the aircraft is in flight. Consequently, even the simplest mitigation steps that could contain detected cyber events cannot be executed while the aircraft is in flight. Rather, the on-board network server that logs data about the aircraft's operations has to transmit the data to the ground-based system so that proper mitigation steps can be taken when the aircraft lands. Thus, aircraft networks, including their computing systems, are subject to much greater delays in detecting and responding to cyber events.
One prior art attempt at addressing the issue of mid-flight cyber events involves the use of remote SIEM systems wherein the system being monitored is physically remote from the SIEM system itself, such as the Managed Security Services Provider (MSSP) model. However, the following limitations of remote SIEM systems make them unfeasible for use in an in-flight setting: lack of high-bandwidth communications capabilities at all times; lack of multiple alternative communications paths to achieve connectivity; lack of personnel expertise where mitigation/response needs to happen; and lack of capability (due to certification issues required by regulatory bodies) to troubleshoot systems while in flight.
Table 1 shown below illuminates the deficiencies of prior art ground-based SIEM systems (including remote systems), which are unable to properly protect an aircraft while in flight, as correlated with the National Institute of Standards and Technology (NIST) cyber security framework references.
TABLE 1

| Functionality | Prior Art Ground-Based SIEM Systems | On-Board while the Aircraft is In-Flight | NIST Cyber Security Framework Function Reference |
|---|---|---|---|
| Access to high data rate communications enables continuous monitoring | Yes | No | DE.CM-7 |
| Identification of cybersecurity events | In real time | Not possible on-board* | DE.CM-4, DE.CM-5, DE.CM-6, DE.CM-7 |
| Event detection information is communicated to appropriate parties, events are reported, and voluntary information sharing occurs with external stakeholders to achieve broader cybersecurity awareness | In real time | Not possible in all situations (depends on connectivity) | DE.DP-4, RS.CO-1, RS.CO-3, RS.CO-4 |
| Immediately accessible high-data rate communications enables real-time troubleshooting (analysis) | Yes | No | RS.AN-1 |
| Immediately accessible high-data rate communications and data center data storage capabilities enable real-time updates to event and anomaly databases for subsequent help with troubleshooting | Yes | No | RS.CO-5 |
| Expertise is available virtually (non-collocated, but connected via high-speed links) or at point of attack, to ensure adequate response and support recovery | Yes | No | RS.AN-1, RS.AN-2, RS.AN-3, RS.AN-4 |
| Immediately accessible high-data rate communications enables mitigation to be done remotely, or else it is done on-site, to prevent expansion of an event, mitigate its effects, and eradicate the incident | Yes | No | RS.RP-1, RS.MI-1, RS.MI-2, RC.RP-1 |

*Other than for previously loaded malware signatures
Thus, it is desirable to have an effective system for mitigating the effects of cyber events on an aircraft while in flight.